WO2019092711A1 - A system and method for threat detection - Google Patents


Info

Publication number: WO2019092711A1
Authority: WIPO (PCT)
Prior art keywords: given, content, context, allowed, packets
Application number: PCT/IL2018/051199
Other languages: French (fr)
Inventor: Oren ASPIR
Original Assignee: Cyberbit Ltd.
Application filed by Cyberbit Ltd.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0245 Filtering by information in the payload
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection

Abstract

A threat detection system comprising a processor configured to: provide a rule set comprising one or more rules, the rule set usable for determining allowed contexts of content within a group of one or more packets originating from Operational Technology (OT) systems; obtain information of a given content within a given group of one or more given packets originating from the OT systems, the given content obtained using Deep Packet Inspection (DPI) of the given packets; and determine, using the rule set, if a context of the given content is allowed, wherein the context is obtained from one or more Information Technology (IT) systems associated with the given content.

Description

A SYSTEM AND METHOD FOR THREAT DETECTION
TECHNICAL FIELD
The invention relates to a system and method for threat detection.
BACKGROUND
Organizational networks can include: (a) Operational Technology (OT) systems, including hardware and software dedicated to detecting or causing changes in physical processes through direct monitoring and/or control of physical devices such as valves, pumps, sensors, etc.; and (b) Information Technology (IT) systems, being data-centric systems for the collection, organization, storage and communication of information.
Various threat detection systems monitor IT systems only, while other threat detection systems monitor OT systems only. However, combining information obtained from the OT systems with information obtained from the IT systems can enable improved threat detection, which no system known to the Applicant provides. There is thus a need in the art for a new method and system for threat detection.
References considered to be relevant as background to the presently disclosed subject matter are listed below. Acknowledgement of the references herein is not to be inferred as meaning that these are in any way relevant to the patentability of the presently disclosed subject matter.
US Patent Application No. 2016/0234167 (Engel et al.) published on August 11, 2016, discloses a method for network monitoring, including intercepting, in an anomaly detection module, a first data packet transmitted over a network in accordance with a predefined protocol to or from an entity on the network. Both a network address that is assigned to the entity and a strong identity, which is incorporated in the first data packet in accordance with the predefined protocol, of the entity are extracted from the intercepted first data packet. An association is recorded between the network address and the strong identity. Second data packets transmitted over the network are intercepted, containing the network address. Responsively to the recorded association and the network address, the second data packets are associated with the strong identity. The associated second data packets are analyzed in order to detect anomalous behavior and to attribute the anomalous behavior to the entity.
US Patent Application No. 2017/0099310 (Di Pietro et al.) published on April 6, 2017, discloses, in one embodiment, a device in a network captures a first set of packets based on first packet capture criterion. The captured first set of packets is provided for deep packet inspection and anomaly detection. The device receives a second packet capture criterion that differs from the first packet capture criterion. The device captures a second set of packets based on the second packet capture criterion. The device provides the captured second set of packets for deep packet inspection and anomaly detection. The anomaly detection of the captured first and second sets of packets is performed by a machine learning-based anomaly detector configured to generate anomaly detection results based in part on one or more traffic metrics gathered from the network and based further in part on deep packet inspection results of packets captured in the network.
US Patent Application No. 2016/0359695 (Yadav et al.) published on December 8, 2016, discloses, in one embodiment, a method includes receiving at an analytics module operating at a network device, network traffic data collected from a plurality of sensors distributed throughout a network and installed in network components to obtain the network traffic data from packets transmitted to and from the network components and monitor network flows within the network from multiple perspectives in the network, processing the network traffic data at the analytics module, the network traffic data comprising process information, user information, and host information, and identifying at the analytics module, anomalies within the network traffic data based on dynamic modeling of network behavior. An apparatus and logic are also disclosed herein.
US Patent No. 7,804,787 (Brandyburg et al.) published on September 28, 2010, discloses an apparatus and method for analyzing traffic on a network by monitoring packets sent between devices on the network and identifying applications occurring between devices on the network based on information derived from monitoring the packets. Techniques are provided to examine header information of the packets, such as information in the header of Internet Protocol (IP) packets, to identify applications that are occurring on the network. In some cases, information about the packet beyond the header information is examined to match a packet to a particular application. Using these techniques, a list is built of all of the applications occurring between devices on the network. Parameters may be generated to track one or more of the response time, latency and traffic volume associated with a particular device on the network.
US Patent Application No. 2017/0126745 (Taylor) published on May 4, 2017, discloses a system for providing intrusion detection for industrial control systems, comprising serial data links to communicate with serial-based networks, Ethernet interfaces to communicate with industrial and enterprise networks, a protocol recognition engine to break down an incoming data packet by protocol and integrate the data into an Ethernet framework, an industrial control system recognition application to detect intrusions, a traffic analytics application to analyze traffic activity for abnormal traffic activity, a logfile creation application to poll industrial equipment and create a logfile of equipment statuses, a long term system deviation analysis application to monitor raw data of the industrial equipment to create a profile of long term system activity, a rule set to allow data that matches the rule set and flag data that does not match the rule set, and an alerts engine to alert a system administrator of suspect activity.
GENERAL DESCRIPTION
In accordance with a first aspect of the presently disclosed subject matter, there is provided a threat detection system comprising a processor configured to: provide a rule set comprising one or more rules, the rule set usable for determining allowed contexts of content within a group of one or more packets originating from Operational Technology (OT) systems; obtain information of a given content within a given group of one or more given packets originating from the OT systems, the given content obtained using Deep Packet Inspection (DPI) of the given packets; and determine, using the rule set, if a context of the given content is allowed, wherein the context is obtained from one or more Information Technology (IT) systems associated with the given content.
In some cases, the processor is further configured to alert a user of the threat detection system if the context of the given content is determined not to be allowed.
In some cases, the processor is further configured to obtain a content validity indication indicative of validity, or invalidity, of the content. In some cases, the content validity indication indicates that the content is valid, and wherein the processor is further configured to alert a user of the threat detection system if the context of the given content is not allowed.
In some cases, the content validity indication indicates that the content is invalid, and wherein the processor is further configured to alert a user of the threat detection system only if the context of the given content is not allowed.
In some cases, the content validity indication indicates that the content is invalid, and wherein the processor is further configured to: obtain one or more parameters relating to the context; and alert a user of the threat detection system of the content being invalid, wherein the alert includes the parameters.
In accordance with a second aspect of the presently disclosed subject matter, there is provided a threat detection system comprising a processor configured to: provide a rule set of one or more rules usable for determining allowed content within a group of one or more packets originating from Operational Technology (OT) systems; obtain information of a plurality of given contents, each within a given group of one or more given packets originating from the OT systems, the given contents obtained using Deep Packet Inspection (DPI) of the respective given packets; determine, for each of the given contents, using the rule set, if the respective given content is allowed; and calculate a risk score, for each respective given content determined not to be allowed, using a context of the respective given content, wherein the context is obtained from one or more Information Technology (IT) systems associated with the respective given content.
In accordance with a third aspect of the presently disclosed subject matter, there is provided a threat detection system comprising a processor configured to: provide a rule set of one or more rules usable for determining allowed content within a group of one or more packets originating from Operational Technology (OT) systems; obtain information of a plurality of given contents, each within a given group of one or more given packets originating from the OT systems, the given contents obtained using Deep Packet Inspection (DPI) of the respective given packets; determine, for each of the given contents, using the rule set, if the respective given content is allowed; obtain, for each respective given content determined not to be allowed, one or more parameters relating to a context of the respective given content, wherein the context is obtained from one or more Information Technology (IT) systems associated with the respective given content; and alert a user of the threat detection system of each respective given content determined not to be allowed, wherein the alert includes the parameters.
In accordance with a fourth aspect of the presently disclosed subject matter, there is provided a threat detection method comprising: providing a rule set comprising one or more rules, the rule set usable for determining allowed contexts of content within a group of one or more packets originating from Operational Technology (OT) systems; obtaining, by a processor, information of a given content within a given group of one or more given packets originating from the OT systems, the given content obtained using Deep Packet Inspection (DPI) of the given packets; and determining, by the processor, using the rule set, if a context of the given content is allowed, wherein the context is obtained from one or more Information Technology (IT) systems associated with the given content.
In some cases, the method further comprises alerting a user if the context of the given content is determined not to be allowed.
In some cases, the method further comprises obtaining a content validity indication indicative of validity, or invalidity, of the content.
In some cases, the content validity indication indicates that the content is valid, and wherein the method further comprises alerting a user if the context of the given content is not allowed.
In some cases, the content validity indication indicates that the content is invalid, and wherein the method comprises alerting a user only if the context of the given content is not allowed.
In some cases, the content validity indication indicates that the content is invalid, and wherein the method further comprises: obtaining one or more parameters relating to the context; and alerting a user of the threat detection system of the content being invalid, wherein the alert includes the parameters.
In accordance with a fifth aspect of the presently disclosed subject matter, there is provided a threat detection method comprising: providing a rule set of one or more rules usable for determining allowed content within a group of one or more packets originating from Operational Technology (OT) systems; obtaining, by a processor, information of a plurality of given contents, each within a given group of one or more given packets originating from the OT systems, the given contents obtained using Deep Packet Inspection (DPI) of the respective given packets; determining, by the processor, for each of the given contents, using the rule set, if the respective given content is allowed; and calculating, by the processor, a risk score, for each respective given content determined not to be allowed, using a context of the respective given content, wherein the context is obtained from one or more Information Technology (IT) systems associated with the respective given content.
In accordance with a sixth aspect of the presently disclosed subject matter, there is provided a threat detection method comprising: providing a rule set of one or more rules usable for determining allowed content within a group of one or more packets originating from Operational Technology (OT) systems; obtaining, by a processor, information of a plurality of given contents, each within a given group of one or more given packets originating from the OT systems, the given contents obtained using Deep Packet Inspection (DPI) of the respective given packets; determining, by the processor, for each of the given contents, using the rule set, if the respective given content is allowed; obtaining, by the processor, for each respective given content determined not to be allowed, one or more parameters relating to a context of the respective given content, wherein the context is obtained from one or more Information Technology (IT) systems associated with the respective given content; and alerting a user of the threat detection system of each respective given content determined not to be allowed, wherein the alert includes the parameters.
In accordance with a seventh aspect of the presently disclosed subject matter, there is provided a non-transitory computer readable storage medium having computer readable program code embodied therewith, the computer readable program code, executable by at least one processor of a computer to perform a method comprising: providing a rule set comprising one or more rules, the rule set usable for determining allowed contexts of content within a group of one or more packets originating from Operational Technology (OT) systems; obtaining, by a processor, information of a given content within a given group of one or more given packets originating from the OT systems, the given content obtained using Deep Packet Inspection (DPI) of the given packets; and determining, by the processor, using the rule set, if a context of the given content is allowed, wherein the context is obtained from one or more Information Technology (IT) systems associated with the given content.
In accordance with an eighth aspect of the presently disclosed subject matter, there is provided a non-transitory computer readable storage medium having computer readable program code embodied therewith, the computer readable program code, executable by at least one processor of a computer to perform a method comprising: providing a rule set of one or more rules usable for determining allowed content within a group of one or more packets originating from Operational Technology (OT) systems; obtaining, by a processor, information of a plurality of given contents, each within a given group of one or more given packets originating from the OT systems, the given contents obtained using Deep Packet Inspection (DPI) of the respective given packets; determining, by the processor, for each of the given contents, using the rule set, if the respective given content is allowed; and calculating, by the processor, a risk score, for each respective given content determined not to be allowed, using a context of the respective given content, wherein the context is obtained from one or more Information Technology (IT) systems associated with the respective given content.
In accordance with a ninth aspect of the presently disclosed subject matter, there is provided a non-transitory computer readable storage medium having computer readable program code embodied therewith, the computer readable program code, executable by at least one processor of a computer to perform a method comprising: providing a rule set of one or more rules usable for determining allowed content within a group of one or more packets originating from Operational Technology (OT) systems; obtaining, by a processor, information of a plurality of given contents, each within a given group of one or more given packets originating from the OT systems, the given contents obtained using Deep Packet Inspection (DPI) of the respective given packets; determining, by the processor, for each of the given contents, using the rule set, if the respective given content is allowed; obtaining, by the processor, for each respective given content determined not to be allowed, one or more parameters relating to a context of the respective given content, wherein the context is obtained from one or more Information Technology (IT) systems associated with the respective given content; and alerting a user of the threat detection system of each respective given content determined not to be allowed, wherein the alert includes the parameters.
BRIEF DESCRIPTION OF THE DRAWINGS
In order to understand the presently disclosed subject matter and to see how it may be carried out in practice, the subject matter will now be described, by way of non- limiting examples only, with reference to the accompanying drawings, in which:
Fig. 1 is a schematic illustration of an exemplary organizational network, in accordance with the presently disclosed subject matter;
Fig. 2 is a block diagram schematically illustrating one example of a threat detection system, in accordance with the presently disclosed subject matter;
Fig. 3 is a flowchart illustrating one example of a sequence of operations carried out for detecting threats, in accordance with the presently disclosed subject matter;
Fig. 4 is a flowchart illustrating one example of a sequence of operations carried out for risk scoring threats, in accordance with the presently disclosed subject matter; and
Fig. 5 is a flowchart illustrating one example of a sequence of operations carried out for enrichment of alerts, in accordance with the presently disclosed subject matter.
DETAILED DESCRIPTION
In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of the presently disclosed subject matter. However, it will be understood by those skilled in the art that the presently disclosed subject matter may be practiced without these specific details. In other instances, well- known methods, procedures, and components have not been described in detail so as not to obscure the presently disclosed subject matter.
In the drawings and descriptions set forth, identical reference numerals indicate those components that are common to different embodiments or configurations.
Unless specifically stated otherwise, as apparent from the following discussions, it is appreciated that throughout the specification discussions utilizing terms such as "providing", "obtaining", "determining", "alerting", "calculating" or the like, include action and/or processes of a computer that manipulate and/or transform data into other data, said data represented as physical quantities, e.g. such as electronic quantities, and/or said data representing the physical objects. The terms "computer", "processor", and "controller" should be expansively construed to cover any kind of electronic device with data processing capabilities, including, by way of non-limiting example, a personal desktop/laptop computer, a server, a computing system, a communication device, a smartphone, a tablet computer, a smart television, a processor (e.g. digital signal processor (DSP), a microcontroller, a field programmable gate array (FPGA), an application specific integrated circuit (ASIC), etc.), a group of multiple physical machines sharing performance of various tasks, virtual servers co-residing on a single physical machine, any other electronic computing device, and/or any combination thereof.
The operations in accordance with the teachings herein may be performed by a computer specially constructed for the desired purposes or by a general-purpose computer specially configured for the desired purpose by a computer program stored in a non-transitory computer readable storage medium. The term "non-transitory" is used herein to exclude transitory, propagating signals, but to otherwise include any volatile or non- volatile computer memory technology suitable to the application.
As used herein, the phrase "for example," "such as", "for instance" and variants thereof describe non-limiting embodiments of the presently disclosed subject matter. Reference in the specification to "one case", "some cases", "other cases" or variants thereof means that a particular feature, structure or characteristic described in connection with the embodiment(s) is included in at least one embodiment of the presently disclosed subject matter. Thus, the appearance of the phrase "one case", "some cases", "other cases" or variants thereof does not necessarily refer to the same embodiment(s).
It is appreciated that, unless specifically stated otherwise, certain features of the presently disclosed subject matter, which are, for clarity, described in the context of separate embodiments, may also be provided in combination in a single embodiment. Conversely, various features of the presently disclosed subject matter, which are, for brevity, described in the context of a single embodiment, may also be provided separately or in any suitable sub-combination.
In embodiments of the presently disclosed subject matter, fewer, more and/or different stages than those shown in Figs. 3-5 may be executed. In embodiments of the presently disclosed subject matter one or more stages illustrated in Figs. 3-5 may be executed in a different order and/or one or more groups of stages may be executed simultaneously. Figs. 1-2 illustrate a general schematic of the system architecture in accordance with an embodiment of the presently disclosed subject matter. Each module in Figs. 1-2 can be made up of any combination of software, hardware and/or firmware that performs the functions as defined and explained herein. The modules in Figs. 1-2 may be centralized in one location or dispersed over more than one location. In other embodiments of the presently disclosed subject matter, the system may comprise fewer, more, and/or different modules than those shown in Figs. 1-2.
Any reference in the specification to a method should be applied mutatis mutandis to a system capable of executing the method and should be applied mutatis mutandis to a non-transitory computer readable medium that stores instructions that once executed by a computer result in the execution of the method.
Any reference in the specification to a system should be applied mutatis mutandis to a method that may be executed by the system and should be applied mutatis mutandis to a non-transitory computer readable medium that stores instructions that may be executed by the system.
Any reference in the specification to a non-transitory computer readable medium should be applied mutatis mutandis to a system capable of executing the instructions stored in the non-transitory computer readable medium and should be applied mutatis mutandis to method that may be executed by a computer that reads the instructions stored in the non-transitory computer readable medium.
Bearing this in mind, attention is drawn to Fig. 1, a schematic illustration of an exemplary organizational network, in accordance with the presently disclosed subject matter.
According to some examples of the presently disclosed subject matter, an organizational network 105 can be provided. The organizational network 105 can be comprised of one or more interconnected computerized networks, that can optionally be distributed over a plurality of geographical locations. The organizational network 105 can comprise Information Technology (IT) systems 110, such as IT devices 120-a, 120-b, ... 120-n (n being an integer), and Operational Technology (OT) systems 130, such as controllers 140-a, 140-b, ... 140-m (m being an integer, equal to n or not). Each controller (e.g. 140-a, 140-m) can optionally be connected to one or more physical devices, such as valve/s 152, thermometer/s 154, sensor/s 156, etc. It is to be noted that in some cases, a single controller (e.g. 140-a) can be connected to a plurality of physical devices (e.g. valve 152 and thermometer 154).
The organizational network 105 further comprises, or is otherwise associated with, a threat detection system 160, which obtains information originating from the IT systems 110 and from the OT systems 130, and utilizes such information for various purposes, including identification of threats, as further detailed herein.
Fig. 2 is a block diagram schematically illustrating one example of a threat detection system, in accordance with the presently disclosed subject matter.
According to certain examples of the presently disclosed subject matter, threat detection system 160 can comprise a network interface 220 enabling connecting the threat detection system 160 to the organizational network 105, and enabling it to send and receive data sent thereto via the organizational network 105, including receiving packets originating from the OT systems 130, and/or information of the content within such packets, and/or information enabling determination of context of the packets originating from the OT systems 130, as further detailed herein.
Threat detection system 160 can further comprise or be otherwise associated with a data repository 230 (e.g. a database, a storage system, a memory including Read Only Memory - ROM, Random Access Memory - RAM, or any other type of memory, etc.) configured to store data, including, inter alia, a rule set usable for determining allowed contexts of content within a group of one or more packets originating from OT systems 130.
Threat detection system 160 further comprises a processing resource 210. Processing resource 210 can be one or more processing units (e.g. central processing units), microprocessors, microcontrollers (e.g. microcontroller units (MCUs)) or any other computing devices or modules, including multiple and/or parallel and/or distributed processing units, which are adapted to independently or cooperatively process data for controlling relevant threat detection system 160 resources and for enabling operations related to threat detection system 160 resources.
The processing resource 210 can comprise one or more of the following modules: context validation module 240, risk score calculation module 250, alert enrichment module 260 and a deep packet inspection module 270. Context validation module 240 can be configured to perform a context validation process, for validating a context of content originating from the OT systems 130, as further detailed herein, inter alia with reference to Fig. 3.
Risk score calculation module 250 can be configured to perform a risk score calculation process, for calculating a risk score using context of content originating from the OT systems 130 and determined not to be allowed, as further detailed herein, inter alia with reference to Fig. 4.
Alert enrichment module 260 can be configured to perform an alert enrichment process, for enriching an alert raised upon identification of content that is not allowed with parameters relating to the context of the non-allowed content, as further detailed herein, inter alia with reference to Fig. 5.
Deep packet inspection module 270 can be configured to perform deep packet inspection using various methods and/or techniques, either known or proprietary.
Turning to Fig. 3, there is shown a flowchart illustrating one example of a sequence of operations carried out for detecting threats, in accordance with the presently disclosed subject matter.
According to certain examples of the presently disclosed subject matter, threat detection system 160 can be configured to perform a context validation process 300.
For this purpose, threat detection system 160 can be configured to provide a rule set comprising one or more rules, the rule set usable for determining allowed contexts of content within a group of one or more packets originating from OT systems 130 (block 310).
The rule set can include rules that define, for example, for certain actions performed on the OT systems 130, which entities associated with the IT systems 110 are authorized to perform such actions (the actions being identified by the content within a given group of one or more packets).
For example, if a first process in the operating system of a given IT system 110 issued a command that causes a given OT system 130 to perform a certain action (determined for example by DPI, e.g. by utilizing deep packet inspection module 270, of a given group of packets received by, and/or sent from, the given OT system 130), the action can be identified as allowed, whereas if a second process in the operating system of the given IT system 110 issued that command, it can be identified as not allowed. In this example, the identity of the process of the operating system of the IT system 110 that issued the command is a context of the command (the command being, as indicated above, identified by the content within a given group of one or more packets).
As another example, if a suspicious behavior of a given process of a given IT system 110 that issued a command that causes a given OT system 130 to perform a certain action (determined for example by DPI, e.g. by utilizing deep packet inspection module 270, of a given group of packets received by, and/or sent from, the given OT system 130) was identified (e.g. using known methods and/or techniques), the action, that otherwise would have been identified as allowed, can now be identified as not allowed. That is, a valid command/action from a valid process can be identified as not allowed due to identification of the suspicious behavior of such process.
The threat detection system 160 is further configured to obtain information of a given content within a given group of one or more given packets originating from the OT systems 130, the given content obtained using DPI, e.g. by utilizing deep packet inspection module 270, of the given packets (block 320).
Having the information of the given content, threat detection system 160 can determine, using the rule set, if a context of the given content is allowed, wherein the context is external to the given packets that are associated with the content, and it is separately obtained from one or more IT systems 110 associated with the given content (e.g. the IT system/s 110 are the ones that triggered the content being sent to, and/or received by, the OT systems 130) (block 330). It is to be noted that the context cannot be directly determined by analyzing the given packets associated with the content, and it is obtained from a source other than the given packets.
One example of associating content with its respective context is by maintaining (e.g. within the IT systems 110, or at any other location, including for example in the data repository 230 of threat detection system 160 itself) (a) metadata associated with the content, such as an endpoint identifier (e.g. an IP address of an endpoint that sent the content, an IP address of an endpoint designated by the content), packet sending time, hashes associated with the packets, and/or other information that enables associating context with respective content (e.g. other packet identifiers, the content itself, etc.), and (b) context associated with the content, which is, as indicated herein, not part of the content itself (e.g. which process triggered creation of the content, which user created the content, information of a behavior of the IT system 110 from which the content originated or to which the content is designated, etc.). The metadata associated with the content, and the context associated with the content, are collected from the endpoints (e.g. IT systems 110) that send the content, and/or from endpoints (e.g. IT systems 110) designated by the content. Upon receiving metadata enabling identification of a given content (e.g. metadata associated with the given content), its context can be retrieved by comparing the received metadata with the maintained metadata (e.g. an IP address of the endpoint that sent a given content, along with packet sending time, can enable uniquely identifying the context associated with the given content). As part of block 330, the context is retrieved by the threat detection system 160 from its storage location.
In some cases, if the threat detection system 160 determined that the context of the given content is not allowed, it can provide a suitable alert to a user of the threat detection system 160 (block 340). The alert can indicate what content is determined not to be allowed, and optionally also information about the context (obtained from one or more IT systems 110 associated with the given content) of the content determined not to be allowed (e.g. one or more parameters relating to the context of the content).
It is to be noted that the context validation process 300 can take place irrespectively of the validity of the content itself. That is, in some cases the content itself can be identified as malicious (or as potentially being malicious), whereas in other cases, the content itself can be valid content that the threat detection system 160 does not identify as malicious (or as potentially being malicious). In both cases, whether the content is identified as malicious (or as potentially being malicious), or not, the context validation process 300 can take place, and identify content that is, by itself, valid, as malicious (or potentially malicious), based on its context.
As an example, assuming that a valid command was sent to a certain OT system 130, naturally it will not be identified as malicious by the threat detection system 160. However, in some cases, such valid command can originate from an IT system 110 of a user that is unauthorized to execute such command. Having the context of the identity of the IT system 110 or the user logged in to such IT system 110, can enable identifying malicious activities that are otherwise unidentifiable.
It is to be noted that the determination whether the content is valid or not can be made using various known methods and/or techniques. The threat detection system 160 can obtain a content validity indication that indicates whether the content is valid or not (e.g. whether the content is malicious (or potentially malicious), or not) for its use. As indicated above, the threat detection system 160 can alert a user even if the content validity indication indicates that the content is valid, upon a determination that the context is not allowed.
It is to be further noted that in some cases, the threat detection system 160 will alert a user only if the context of a given content is not allowed, even if the content is invalid (e.g. malicious).
It is to be noted that, with reference to Fig. 3, some of the blocks can be integrated into a consolidated block or can be broken down into several blocks, and/or other blocks may be added. Furthermore, in some cases, the blocks can be performed in a different order than described herein (for example, block 320 can be performed before block 310, etc.). It is to be further noted that some of the blocks are optional (e.g. block 340). It should also be noted that whilst the flow diagram is described with reference to the system elements that realize them, this is by no means binding, and the blocks can be performed by elements other than those described herein.
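The context validation flow of Fig. 3 (blocks 310 to 340) can be modelled end to end in a few dozen lines. The following Python is an added example, not code from the patent or from Cyberbit Ltd.: the rule structure (an OT action mapped to the processes and users allowed to trigger it), the metadata key used to associate content with context (source IP plus packet sending time, as the description suggests), the `suspicious` flag standing in for a separately detected behavior of the originating process, and every sample value are constructed for illustration. The content validity indication is carried through unchanged, to show that the context decision does not depend on it.

```python
"""Context validation (Fig. 3, blocks 310-340) as a self-contained model.
Added example; rules, store contents and sample values are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Block 310: rule set. Constructed sample: OT action -> contexts allowed to trigger it.
# A "users" value of None means any user may trigger that action.
RULE_SET = {
    "write_coil": {
        "processes": {"hmi.exe", "scada_engineering.exe"},
        "users": {"operator01", "engineer02"},
    },
    "read_holding_registers": {
        "processes": {"hmi.exe", "historian.exe"},
        "users": None,
    },
}


@dataclass(frozen=True)
class Context:
    """Context collected on the IT endpoint. It is never present in the OT packets."""
    process: str
    user: str
    suspicious: bool = False  # assumed flag from an endpoint behavior detection


@dataclass(frozen=True)
class DpiContent:
    """What DPI recovers from a group of OT packets, plus the metadata
    needed to associate it with its externally stored context."""
    action: str
    src_ip: str
    sent_at: int  # packet sending time, epoch seconds


# Metadata (src IP, sending time) -> context, as collected from IT endpoints.
# Constructed sample data standing in for the store kept on the IT systems
# or in data repository 230.
CONTEXT_STORE: Dict[Tuple[str, int], Context] = {
    ("10.0.0.5", 1700000000): Context("hmi.exe", "operator01"),
    ("10.0.0.7", 1700000010): Context("update_helper.exe", "guest"),
    ("10.0.0.5", 1700000020): Context("hmi.exe", "operator01", suspicious=True),
}


def lookup_context(content: DpiContent, store=CONTEXT_STORE) -> Optional[Context]:
    """Block 330, first half: match the received metadata against the
    maintained metadata. Returns None when no context is known for it."""
    return store.get((content.src_ip, content.sent_at))


def context_allowed(content: DpiContent, ctx: Optional[Context], rules=RULE_SET) -> bool:
    """Block 330, second half: apply the rule set to the retrieved context.
    Unknown actions and missing context fail closed (not allowed)."""
    rule = rules.get(content.action)
    if rule is None or ctx is None:
        return False
    if ctx.suspicious:  # an otherwise valid process flagged as behaving suspiciously
        return False
    if ctx.process not in rule["processes"]:
        return False
    if rule["users"] is not None and ctx.user not in rule["users"]:
        return False
    return True


def validate(content: DpiContent, content_valid: bool = True) -> Optional[dict]:
    """Blocks 320-340: returns an alert dict when the context is not allowed,
    else None. `content_valid` is the separately obtained content validity
    indication; it is reported but deliberately not used in the decision."""
    ctx = lookup_context(content)
    if context_allowed(content, ctx):
        return None
    return {
        "content": content.action,
        "content_valid": content_valid,
        "context": None if ctx is None else {
            "process": ctx.process, "user": ctx.user, "suspicious": ctx.suspicious,
        },
        "reason": "context not allowed",
    }


if __name__ == "__main__":
    # Same valid command, three different contexts: allowed, wrong process, suspicious process.
    for c in (DpiContent("write_coil", "10.0.0.5", 1700000000),
              DpiContent("write_coil", "10.0.0.7", 1700000010),
              DpiContent("write_coil", "10.0.0.5", 1700000020)):
        print(c, "->", validate(c))
```

The three calls in the `__main__` block carry the identical, valid `write_coil` command; only the first passes, because the second was triggered by a process the rule does not list and the third by an allowed process that has been flagged as suspicious. A lookup miss also produces an alert, since content whose provenance cannot be established should not be treated as allowed.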
Attention is now drawn to Fig. 4, a flowchart illustrating one example of a sequence of operations carried out for risk scoring threats, in accordance with the presently disclosed subject matter.
According to certain examples of the presently disclosed subject matter, threat detection system 160 can be configured to perform a risk score calculation process 400.
For this purpose, threat detection system 160 can be configured to provide a rule set of one or more rules usable for determining allowed content within a group of one or more packets originating from OT systems 130 (block 410).
Threat detection system 160 can obtain information of a plurality of given contents, each within a given group of one or more given packets originating from the OT systems, the given contents obtained using DPI, e.g. by utilizing deep packet inspection module 270, of the respective given packets (block 420). That is, DPI, e.g. by utilizing deep packet inspection module 270, can be performed on network traffic packets for obtaining content of the packets, and the content can be received by the threat detection system 160.
Using the rule set provided at block 410, threat detection system 160 can determine, for each of the given contents, if the respective given content is allowed or not (e.g. if the content is malicious, or potentially malicious, according to the rule set) (block 430). For each respective given content determined not to be allowed in accordance with the rule set, threat detection system 160 can be configured to calculate a risk score, using a context of the respective given content, wherein the context is external to the given packets that are associated with the content, and it is separately obtained from one or more IT systems 110 associated with the respective given content, as detailed with reference to Fig. 3 (block 440). It is to be noted that the context cannot be directly determined by analyzing the given packets associated with the content, and it is obtained from a source other than the given packets.
It is to be noted that the context to which reference is made here has the same meaning as provided with reference to Fig. 3. Therefore, if a certain content originated from a first IT system 110, the risk score calculated for such content can be higher than the risk score that would have been calculated for such content had it originated from a second IT system 110. As another example, if a certain content originated from an account associated with a first user of the IT systems 110, the risk score calculated for such content can be higher than the risk score that would have been calculated for such content had it originated from an account associated with a second user of the IT systems 110 (e.g. where the first user is less likely than the second user to trigger commands that cause the content's packets to be sent from the OT systems 130).
It is to be noted that, with reference to Fig. 4, some of the blocks can be integrated into a consolidated block or can be broken down into several blocks, and/or other blocks may be added. Furthermore, in some cases, the blocks can be performed in a different order than described herein (for example, block 420 can be performed before block 410, etc.). It should also be noted that whilst the flow diagram is described with reference to the system elements that realize them, this is by no means binding, and the blocks can be performed by elements other than those described herein.
Turning to Fig. 5, there is shown a flowchart illustrating one example of a sequence of operations carried out for enrichment of alerts, in accordance with the presently disclosed subject matter.
According to certain examples of the presently disclosed subject matter, threat detection system 160 can be configured to perform an alert enrichment process 500.
For this purpose, threat detection system 160 can be configured to provide a rule set of one or more rules usable for determining allowed content within a group of one or more packets originating from OT systems 130 (block 510). Threat detection system 160 can obtain information of a plurality of given contents, each within a given group of one or more given packets originating from the OT systems, the given contents obtained using DPI, e.g. by utilizing deep packet inspection module 270, of the respective given packets (block 520). That is, DPI, e.g. by utilizing deep packet inspection module 270, can be performed on network traffic packets for obtaining content of the packets, and the content can be received by the threat detection system 160.
Using the rule set provided at block 410, threat detection system 160 can determine, for each of the given contents, if the respective given content is allowed or not (e.g. if the content is malicious, or potentially malicious, according to the rule set) (block 530).
For each respective given content determined not to be allowed in accordance with the rule set, threat detection system 160 can be configured to obtain one or more parameters relating to a context of the respective given content, wherein the context is external to the given packets that are associated with the content, and it is separately obtained from one or more IT systems 110 associated with the respective given content (block 540). It is to be noted that the context to which reference is made here has the same meaning as provided with reference to Fig. 3. Such context can include, for example, information of the IT system 110 that triggered the commands that cause the content's packets to be sent, information of a specific user that was logged in to the IT system 110 that triggered the commands that cause the content's packets to be sent, etc. It is to be noted that the context cannot be directly determined by analyzing the given packets associated with the content, and it is obtained from a source other than the given packets.
Threat detection system 160 can be configured to alert a user of the threat detection system of each respective given content determined not to be allowed, where the alert includes the parameters (block 550).
It is to be noted that, with reference to Fig. 5, some of the blocks can be integrated into a consolidated block or can be broken down into several blocks, and/or other blocks may be added. Furthermore, in some cases, the blocks can be performed in a different order than described herein (for example, block 520 can be performed before block 510, etc.). It is to be further noted that some of the blocks are optional. It should also be noted that whilst the flow diagram is described with reference to the system elements that realize them, this is by no means binding, and the blocks can be performed by elements other than those described herein.
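Risk scoring (Fig. 4) and alert enrichment (Fig. 5) share the same front half, a content rule set applied to DPI-recovered contents, and differ only in what is done with content that is not allowed, so one added example covers both. This Python is not code from the patent or from Cyberbit Ltd.: the weight tables, base score, system and user names, and the shape of the context dict (assumed to have already been retrieved for each content as described for Fig. 3) are constructed assumptions. Going slightly beyond the text, a content whose context could not be retrieved at all is given the maximum score rather than a neutral one, on the reasoning that missing provenance should not lower the risk.

```python
"""Risk scoring (Fig. 4, block 440) and alert enrichment (Fig. 5, blocks 540-550)
for content a rule set has judged not allowed. Added example; all values constructed."""
from typing import List, Optional

# Block 410/510: content rule set. Constructed sample: OT action -> allowed?
CONTENT_RULES = {
    "read_holding_registers": True,
    "write_coil": True,
    "write_multiple_registers": False,
    "firmware_update": False,
}

# Context weights, constructed. Higher weight = a context less likely to
# legitimately trigger OT commands, hence a higher risk score.
SYSTEM_WEIGHT = {"eng-ws-01": 1.0, "hmi-02": 1.2, "corp-laptop-17": 2.5}
USER_WEIGHT = {"engineer02": 1.0, "operator01": 1.3, "guest": 3.0}
BASE_SCORE = 20.0
MAX_SCORE = 100.0

# Constructed DPI results, each paired with the context retrieved as in Fig. 3
# (None where no context could be associated with the packets).
SAMPLE_CONTENTS = [
    {"action": "read_holding_registers",
     "context": {"system": "hmi-02", "user": "operator01", "process": "hmi.exe"}},
    {"action": "write_multiple_registers",
     "context": {"system": "eng-ws-01", "user": "engineer02", "process": "scada_engineering.exe"}},
    {"action": "write_multiple_registers",
     "context": {"system": "corp-laptop-17", "user": "guest", "process": "update_helper.exe"}},
    {"action": "firmware_update", "context": None},
]


def content_allowed(action: str, rules=CONTENT_RULES) -> bool:
    """Block 430/530. Actions absent from the rule set are treated as not allowed."""
    return rules.get(action, False)


def risk_score(context: Optional[dict]) -> float:
    """Block 440: scale the base score by the originating system and user weights.
    Unknown systems or users take the largest configured weight; a missing
    context scores the maximum, so absent provenance raises rather than lowers risk."""
    if context is None:
        return MAX_SCORE
    sys_w = SYSTEM_WEIGHT.get(context.get("system"), max(SYSTEM_WEIGHT.values()))
    user_w = USER_WEIGHT.get(context.get("user"), max(USER_WEIGHT.values()))
    return min(MAX_SCORE, round(BASE_SCORE * sys_w * user_w, 1))


def enrich_alert(action: str, context: Optional[dict]) -> dict:
    """Blocks 540-550: the alert carries the context parameters (system, user,
    process) alongside the content and its risk score."""
    params = {} if context is None else {
        k: context[k] for k in ("system", "user", "process") if k in context
    }
    return {"content": action, "risk_score": risk_score(context), "context_parameters": params}


def process_contents(contents: List[dict]) -> List[dict]:
    """Blocks 420-440 / 520-550 over a batch of DPI-recovered contents.
    Allowed content produces nothing; each non-allowed content yields one enriched alert."""
    alerts = []
    for item in contents:
        if content_allowed(item["action"]):
            continue
        alerts.append(enrich_alert(item["action"], item.get("context")))
    return alerts


if __name__ == "__main__":
    for alert in process_contents(SAMPLE_CONTENTS):
        print(alert)
```

On the sample batch the same disallowed `write_multiple_registers` command scores 20.0 when it came from the engineering workstation under the engineering account and is capped at 100.0 when it came from a corporate laptop under a guest account; the alert for each carries the system, user and process it was attributed to, which is what an analyst needs to decide whether the command was merely unusual or actually unauthorized.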
It is to be understood that the presently disclosed subject matter is not limited in its application to the details set forth in the description contained herein or illustrated in the drawings. The presently disclosed subject matter is capable of other embodiments and of being practiced and carried out in various ways. Hence, it is to be understood that the phraseology and terminology employed herein are for the purpose of description and should not be regarded as limiting. As such, those skilled in the art will appreciate that the conception upon which this disclosure is based may readily be utilized as a basis for designing other structures, methods, and systems for carrying out the several purposes of the presently disclosed subject matter.
It will also be understood that the system according to the presently disclosed subject matter can be implemented, at least partly, as a suitably programmed computer.
Likewise, the presently disclosed subject matter contemplates a computer program being readable by a computer for executing the disclosed method. The presently disclosed subject matter further contemplates a machine-readable memory tangibly embodying a program of instructions executable by the machine for executing the disclosed method.

Claims

CLAIMS:
1. A threat detection system comprising a processor configured to:
provide a rule set comprising one or more rules, the rule set usable for determining allowed contexts of content within a group of one or more packets originating from Operational Technology (OT) systems;
obtain information of a given content within a given group of one or more given packets originating from the OT systems, the given content obtained using Deep Packet Inspection (DPI) of the given packets; and
determine, using the rule set, if a context of the given content is allowed, wherein the context is external to the given packets, and wherein the context is obtained, separately from the content, from one or more Information Technology (IT) systems associated with the given content.
2. The threat detection system of claim 1, wherein the processor is further configured to alert a user of the threat detection system if the context of the given content is determined not to be allowed.
3. The threat detection system of claim 1, wherein the processor is further configured to obtain a content validity indication indicative of validity, or invalidity, of the content.
4. The threat detection system of claim 3, wherein the content validity indication indicates that the content is valid, and wherein the processor is further configured to alert a user of the threat detection system if the context of the given content is not allowed.
5. The threat detection system of claim 3, wherein the content validity indication indicates that the content is invalid, and wherein the processor is further configured to alert a user of the threat detection system only if the context of the given content is not allowed.
6. The threat detection system of claim 3, wherein the content validity indication indicates that the content is invalid, and wherein the processor is further configured to:
obtain one or more parameters relating to the context; and
alert a user of the threat detection system of the content being invalid, wherein the alert includes the parameters.
7. A threat detection system comprising a processor configured to:
provide a rule set of one or more rules usable for determining allowed content within a group of one or more packets originating from Operational Technology (OT) systems;
obtain information of a plurality of given contents, each within a given group of one or more given packets originating from the OT systems, the given contents obtained using Deep Packet Inspection (DPI) of the respective given packets;
determine, for each of the given contents, using the rule set, if the respective given content is allowed; and
calculate a risk score, for each respective given content determined not to be allowed, using a context of the respective given content, wherein the context is external to the given packets, and wherein the context is obtained, separately from the content, from one or more Information Technology (IT) systems associated with the respective given content.
8. A threat detection system comprising a processor configured to:
provide a rule set of one or more rules usable for determining allowed content within a group of one or more packets originating from Operational Technology (OT) systems;
obtain information of a plurality of given contents, each within a given group of one or more given packets originating from the OT systems, the given contents obtained using Deep Packet Inspection (DPI) of the respective given packets;
determine, for each of the given contents, using the rule set, if the respective given content is allowed;
obtain, for each respective given content determined not to be allowed, one or more parameters relating to a context of the respective given content, wherein the context is external to the given packets, and wherein the context is obtained, separately from the content, from one or more Information Technology (IT) systems associated with the respective given content; and
alert a user of the threat detection system of each respective given content determined not to be allowed, wherein the alert includes the parameters.
9. A threat detection method comprising:
providing a rule set comprising one or more rules, the rule set usable for determining allowed contexts of content within a group of one or more packets originating from Operational Technology (OT) systems;
obtaining, by a processor, information of a given content within a given group of one or more given packets originating from the OT systems, the given content obtained using Deep Packet Inspection (DPI) of the given packets; and
determining, by the processor, using the rule set, if a context of the given content is allowed, wherein the context is external to the given packets, and wherein the context is obtained, separately from the content, from one or more Information Technology (IT) systems associated with the given content.
10. The threat detection method of claim 9, further comprising alerting a user if the context of the given content is determined not to be allowed.
11. The threat detection method of claim 9, further comprising obtaining a content validity indication indicative of validity, or invalidity, of the content.
12. The threat detection method of claim 11, wherein the content validity indication indicates that the content is valid, and wherein the method further comprises alerting a user if the context of the given content is not allowed.
13. The threat detection method of claim 11, wherein the content validity indication indicates that the content is invalid, and wherein the method comprises alerting a user only if the context of the given content is not allowed.
14. The threat detection method of claim 11, wherein the content validity indication indicates that the content is invalid, and wherein the method further comprises:
obtaining one or more parameters relating to the context; and
alerting a user of the threat detection system of the content being invalid, wherein the alert includes the parameters.
15. A threat detection method comprising:
providing a rule set of one or more rules usable for determining allowed content within a group of one or more packets originating from Operational Technology (OT) systems;
obtaining, by a processor, information of a plurality of given contents, each within a given group of one or more given packets originating from the OT systems, the given contents obtained using Deep Packet Inspection (DPI) of the respective given packets;
determining, by the processor, for each of the given contents, using the rule set, if the respective given content is allowed; and
calculating, by the processor, a risk score, for each respective given content determined not to be allowed, using a context of the respective given content, wherein the context is external to the given packets, and wherein the context is obtained, separately from the content, from one or more Information Technology (IT) systems associated with the respective given content.
16. A threat detection method comprising:
providing a rule set of one or more rules usable for determining allowed content within a group of one or more packets originating from Operational Technology (OT) systems;
obtaining, by a processor, information of a plurality of given contents, each within a given group of one or more given packets originating from the OT systems, the given contents obtained using Deep Packet Inspection (DPI) of the respective given packets;
determining, by the processor, for each of the given contents, using the rule set, if the respective given content is allowed;
obtaining, by the processor, for each respective given content determined not to be allowed, one or more parameters relating to a context of the respective given content, wherein the context is external to the given packets, and wherein the context is obtained, separately from the content, from one or more Information Technology (IT) systems associated with the respective given content; and
alerting a user of the threat detection system of each respective given content determined not to be allowed, wherein the alert includes the parameters.
17. A non-transitory computer readable storage medium having computer readable program code embodied therewith, the computer readable program code executable by at least one processor of a computer to perform a method comprising:
providing a rule set comprising one or more rules, the rule set usable for determining allowed contexts of content within a group of one or more packets originating from Operational Technology (OT) systems;
obtaining, by a processor, information of a given content within a given group of one or more given packets originating from the OT systems, the given content obtained using Deep Packet Inspection (DPI) of the given packets; and
determining, by the processor, using the rule set, if a context of the given content is allowed wherein the context is external to the given packets, and wherein the context is obtained, separately from the content, from one or more Information Technology (IT) systems associated with the given content.
18. A non-transitory computer readable storage medium having computer readable program code embodied therewith, the computer readable program code executable by at least one processor of a computer to perform a method comprising:
providing a rule set of one or more rules usable for determining allowed content within a group of one or more packets originating from Operational Technology (OT) systems;
obtaining, by a processor, information of a plurality of given contents, each within a given group of one or more given packets originating from the OT systems, the given contents obtained using Deep Packet Inspection (DPI) of the respective given packets;
determining, by the processor, for each of the given contents, using the rule set, if the respective given content is allowed; and
calculating, by the processor, a risk score, for each respective given content determined not to be allowed, using a context of the respective given content, wherein the context is external to the given packets, and wherein the context is obtained, separately from the content, from one or more Information Technology (IT) systems associated with the respective given content.
19. A non-transitory computer readable storage medium having computer readable program code embodied therewith, the computer readable program code executable by at least one processor of a computer to perform a method comprising:
providing a rule set of one or more rules usable for determining allowed content within a group of one or more packets originating from Operational Technology (OT) systems;
obtaining, by a processor, information of a plurality of given contents, each within a given group of one or more given packets originating from the OT systems, the given contents obtained using Deep Packet Inspection (DPI) of the respective given packets;
determining, by the processor, for each of the given contents, using the rule set, if the respective given content is allowed;
obtaining, by the processor, for each respective given content determined not to be allowed, one or more parameters relating to a context of the respective given content, wherein the context is external to the given packets, and wherein the context is obtained, separately from the content, from one or more Information Technology (IT) systems associated with the respective given content; and
alerting a user of the threat detection system of each respective given content determined not to be allowed, wherein the alert includes the parameters.
PCT/IL2018/051199 2017-11-09 2018-11-07 A system and method for threat detection WO2019092711A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IL255561A IL255561A (en) 2017-11-09 2017-11-09 A system and method for threat detection
IL255561 2017-11-09

Publications (1)

Publication Number Publication Date
WO2019092711A1 true WO2019092711A1 (en) 2019-05-16

Family

ID=66438378

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IL2018/051199 WO2019092711A1 (en) 2017-11-09 2018-11-07 A system and method for threat detection

Country Status (2)

Country Link
IL (1) IL255561A (en)
WO (1) WO2019092711A1 (en)

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130305357A1 (en) * 2010-11-18 2013-11-14 The Boeing Company Context Aware Network Security Monitoring for Threat Detection
US20120297482A1 (en) * 2011-05-16 2012-11-22 General Electric Company Systems, methods, and apparatus for network intrusion detection
US20170230402A1 (en) * 2016-02-09 2017-08-10 Ca, Inc. Automated data risk assessment

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11438351B1 (en) 2021-04-20 2022-09-06 Centripetal Networks, Inc. Efficient threat context-aware packet filtering for network protection
US11444963B1 (en) * 2021-04-20 2022-09-13 Centripetal Networks, Inc. Efficient threat context-aware packet filtering for network protection
US11552970B2 (en) 2021-04-20 2023-01-10 Centripetal Networks, Inc. Efficient threat context-aware packet filtering for network protection
US11824875B2 (en) 2021-04-20 2023-11-21 Centripetal Networks, Llc Efficient threat context-aware packet filtering for network protection

Also Published As

Publication number Publication date
IL255561A (en) 2018-04-30

Legal Events

Date Code Title Description
DPE2 Request for preliminary examination filed before expiration of 19th month from priority date (pct application filed from 20040101)
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 18876931; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established (Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 29.09.2021))
122 Ep: pct application non-entry in european phase (Ref document number: 18876931; Country of ref document: EP; Kind code of ref document: A1)